usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

Whitelist dont work! #105

Closed gioiliop7 closed 1 year ago

gioiliop7 commented 1 year ago

I have used the plugin for two months and the whitelist for the endpoints worked well. But as of today the whitelist doesn't work, and I have issues because on some endpoints wp-json asks me for an authorization header. I am sending you the whitelist function:

```php
// Append custom endpoints to the jwt-auth whitelist.
add_filter('jwt_auth_whitelist', function ($endpoints) {
    $whitelistedEndpoints = array(
        '/wp-json/api/v1/register-user/',
        '/wp-json/dokan/v1/*',
    );

    // Merge with the endpoints already whitelisted and drop duplicates.
    return array_unique(array_merge($endpoints, $whitelistedEndpoints));
});
```

Thank you

sun commented 1 year ago

Did you add or remove any plugins, update any plugins, or change any configuration?

gioiliop7 commented 1 year ago

I don't remember, but the plugins I have used and am using today do other work; they don't affect authentication and requests. But I have Dokan, which works with wp-json, and I can't make it work with the JWT plugin because I can't get a response for the vendors, as an example. Maybe the .htaccess? I don't think so, but... The requests with JWT work when they have a token, but the whitelist does not.

gioiliop7 commented 1 year ago

I tried changing the .htaccess; nothing worked. The problem is with the whitelist function. Maybe it wants a priority?

sun commented 1 year ago

I would recommend to go back to the last known working version/state of the site from backups. Afterwards you can redo the changes you were doing and test more frequently at what point it stops working.

Beyond that I don't see how the jwt-auth plugin would be the cause of issues, so I would suggest to close this issue.

The only additional pointer I can give you is that we removed the whitelist feature entirely from the new major version v3 that is (only) available on GitHub currently. This version is not available on WordPress.org yet, so you would only have it if you manually downloaded and installed the plugin from the source.

gioiliop7 commented 1 year ago

So in the new version how to whitelist endpoints?

gioiliop7 commented 1 year ago

```apache
RewriteCond %{REQUEST_URI} ^/wp-json/ [NC]
Satisfy any
Allow from all

# "I USE ABOVE LINES TO CLOSE THE AUTHENTICATION THAT SERVER HAS, to not have 2 authorization headers and conflict."

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
```

This is my .htaccess. Is there a problem there?

sun commented 1 year ago

> So in the new version how to whitelist endpoints?

The whitelist has been removed altogether, so every endpoint of the REST API is reachable normally. The jwt-auth plugin no longer manipulates the access beyond the regular built-in access system of all endpoints.

gioiliop7 commented 1 year ago

Problem solved. There is a conflict with the plugin, WPForms Lite. I removed it and the whitelist works fine. Thank you.